Issued badge information page should state user name on the page

Details

To test, you need to have some Moodle badges issued as well as backpack with some badges connected to your account.

1. When you click on issued Moodle badge page (badge.php), you should see "Recipient information" as the first set set of badge info. It shows user full name and their email.

If the user has backpack connected, this email should be backpack email. Otherwise, it is Moodle account email.

2. When you click on any of external badges from the backpack (external.php), you should also see "Recipient information" with full name of the user which matches recipient email.

In some cases, it might be not possible to validate the recipient (this is also not supposed to happen). For example, this might happen if badges salt for hashing emails changed after the badge was issued. In this case you should see the message "Current user cannot be verified as a recipient of this badge". This doesn't mean that the badge is not valid, it just means that we cannot be 100% sure that user is showing us a valid badge.

To test, you need to have some Moodle badges issued as well as backpack with some badges connected to your account.
1. When you click on issued Moodle badge page (badge.php), you should see "Recipient information" as the first set set of badge info. It shows user full name and their email.
If the user has backpack connected, this email should be backpack email. Otherwise, it is Moodle account email.
2. When you click on any of external badges from the backpack (external.php), you should also see "Recipient information" with full name of the user which matches recipient email.
In some cases, it might be not possible to validate the recipient (this is also not supposed to happen). For example, this might happen if badges salt for hashing emails changed after the badge was issued. In this case you should see the message "Current user cannot be verified as a recipient of this badge". This doesn't mean that the badge is not valid, it just means that we cannot be 100% sure that user is showing us a valid badge.

Yuliya Bozhko
added a comment - 17/Jul/13 10:56 PM Hi Helen,
That's a good point! I never actually thought about that as I always assumed that some user is getting to a badge page from another user profile, or recipient page. Will make sure To add that
Yuliya

Dan Poltawski
added a comment - 02/Sep/13 5:43 AM Hi Yuliya,
I'm sending this for integration along with MDL-40924 so that we can split the testing of this issue into two issues.
Please could you provide some testing instructions for this change (based on the patch you've given me).
thanks
Dan

I have an account which has a badge given by the site (localhost), and also have badges shown from my Mozilla backpack. Now, when I click on one of the external badges I am shown the email address associated with that backpack (unrelated note - is this a security issue?), which is what is expected, but am also shown this email when I view an internal badge, rather the internal Moodle email address for that user. Is this correct? You state "If the user has backpack connected, this email should be backpack email. Otherwise, it is Moodle account email." but was not sure if this was just the case for external badges or all badges.

Mark Nelson
added a comment - 04/Sep/13 3:13 AM Hi Yuliya,
I am going to fail this to be on the safe side.
I have an account which has a badge given by the site (localhost), and also have badges shown from my Mozilla backpack. Now, when I click on one of the external badges I am shown the email address associated with that backpack (unrelated note - is this a security issue?), which is what is expected, but am also shown this email when I view an internal badge, rather the internal Moodle email address for that user. Is this correct? You state "If the user has backpack connected, this email should be backpack email. Otherwise, it is Moodle account email." but was not sure if this was just the case for external badges or all badges.
Thanks.

Once the backpack is connected, all badges email is always user backpack email. When you disconnect backpack, it should be your Moodle email and it is shown only in internal badges (because you can't show your external badges without backpack).

Yuliya Bozhko
added a comment - 04/Sep/13 3:16 AM Hi Mark,
Sorry for being not very clear in tests.
Once the backpack is connected, all badges email is always user backpack email. When you disconnect backpack, it should be your Moodle email and it is shown only in internal badges (because you can't show your external badges without backpack).

Mark Nelson
added a comment - 04/Sep/13 3:18 AM There was also an issue with being able to view the badge even when the user was deleted.
Steps to replicate -
Assign an internal badge to a user.
Visit their profile.
Copy the link to the badge.
Delete them from Moodle.
Visit the URL you copied earlier.

Now, that I think about that, users are actually not deleted from the system at all. I expected it to show that message when a user cannot be found, but in this case no other information will be found either. So, that part of test is probably wrong...

Yuliya Bozhko
added a comment - 04/Sep/13 3:25 AM - edited Now, that I think about that, users are actually not deleted from the system at all. I expected it to show that message when a user cannot be found, but in this case no other information will be found either. So, that part of test is probably wrong...
I updated testing instructions. Sorry, for the hassle...

I can still see the name of the deleted user when viewing their badge. The information is still available in the user table, but the deleted flag is set to 1 to indicate that have been deleted. Should you be checking on this page for this value?

Mark Nelson
added a comment - 04/Sep/13 3:43 AM I can still see the name of the deleted user when viewing their badge. The information is still available in the user table, but the deleted flag is set to 1 to indicate that have been deleted. Should you be checking on this page for this value?

I guess it is a separate issue, because we don't really delete neither users nor badges. User that doesn't exist in the system should still be able to access badges issued in the system.

I will create a separate tracker issue to decide how to handle deleted users. It is correct how it works right now. We don't want students who graduated and are no longer a part of institution (and therefore, Moodle web site) to lose access to their badges information.

P.S. Also, the biggest problem (which is currently true without this fix), if we don't show user information on the badge page (even if the user was deleted), then anyone can access this page, share it with someone else, and say that it is their badge even if it is not true.

Yuliya Bozhko
added a comment - 04/Sep/13 3:49 AM - edited I guess it is a separate issue, because we don't really delete neither users nor badges. User that doesn't exist in the system should still be able to access badges issued in the system.
I will create a separate tracker issue to decide how to handle deleted users. It is correct how it works right now. We don't want students who graduated and are no longer a part of institution (and therefore, Moodle web site) to lose access to their badges information.
P.S. Also, the biggest problem (which is currently true without this fix), if we don't show user information on the badge page (even if the user was deleted), then anyone can access this page, share it with someone else, and say that it is their badge even if it is not true.

Dan Poltawski
added a comment - 05/Sep/13 7:05 AM Congratulations! This change has been integrated upstream and is now available from our git and download mirrors. To celebrate, here is a joke:
A SQL query goes into a bar, walks up to two tables and asks, "Can I join you?"